https://bugs.openldap.org/show_bug.cgi?id=9583
Issue ID: 9583
Summary: possible memory corruption in avl_buildlist
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: libraries
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
In the excerpt below: if avl_maxlist is large enough then the address
(NULL + avl_maxlist * sizeof(pointer))
may be mapped into the address space. If ber_memrealloc fails,
avl_list[avl_maxlist]=… will corrupt program state before it eventually crashes.
libraries/libldap/avl.c:
> static int slots;
> static int
> avl_buildlist( void* data, … ) {
>     if ( avl_list == 0 ) {
>         slots = 100;
>         avl_list = ber_memalloc(100 * sizeof(void*));
>         …
>     } else if ( avl_maxlist == slots ) {
>         slots += 100;
>         avl_list = ber_memrealloc( avl_list, slots * sizeof(void*));
>         …
>     }
>     avl_list[ avl_maxlist++ ] = data;
Be advised please that this issue has been reported by an accidental visitor, from
a developer point of view, not a user point of view, so I won't define, provide
or construct any “valid use case”.
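The growth pattern from the report with the reallocation result checked before the store, as an added example that is not OpenLDAP code and not part of the original report. The names `ptr_list`, `grow`, `list_append` and `fail_next_alloc` are hypothetical, and the standard `realloc` stands in for `ber_memrealloc`.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for the static avl_list / avl_maxlist / slots state. */
struct ptr_list {
    void **items;
    size_t count;   /* plays the role of avl_maxlist */
    size_t slots;   /* allocated capacity */
};

/* Constructed hook: when nonzero, the next growth fails like a NULL realloc. */
static int fail_next_alloc;

static void *grow(void *old, size_t bytes)
{
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return realloc(old, bytes);   /* assumption: replaces ber_memrealloc */
}

/* Append data; returns 0 on success, -1 on allocation failure.
 * On failure the list is unchanged and still valid. */
static int list_append(struct ptr_list *l, void *data)
{
    if (l->count == l->slots) {
        size_t new_slots = l->slots + 100;
        void **tmp;
        /* Reject a capacity whose byte size would overflow size_t. */
        if (new_slots < l->slots || new_slots > SIZE_MAX / sizeof(void *))
            return -1;
        /* Keep the old pointer until the new block is known to be good, so a
         * failed growth never leaves a NULL base for the store below. */
        tmp = grow(l->items, new_slots * sizeof(void *));
        if (tmp == NULL)
            return -1;
        l->items = tmp;
        l->slots = new_slots;
    }
    l->items[l->count++] = data;
    return 0;
}

int main(void)
{
    struct ptr_list l = {0};
    int v = 7;
    fail_next_alloc = 1;              /* first growth fails: list stays empty */
    int rc = list_append(&l, &v);
    return (rc == -1 && l.count == 0 && l.items == NULL) ? 0 : 1;
}
```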